Skip to main content

Common Architecture Label IPv6 Security Option (CALIPSO)
draft-stjohns-sipso-11

Revision differences

Document history

Date Rev. By Action
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for Pasi Eronen
2012-08-22
11 (System) post-migration administrative database adjustment to the Abstain position for Jari Arkko
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for Magnus Westerlund
2012-08-22
11 (System) post-migration administrative database adjustment to the Abstain position for Lars Eggert
2012-08-22
11 (System) post-migration administrative database adjustment to the No Objection position for Russ Housley
2012-08-22
11 (System) post-migration administrative database adjustment to the Abstain position for Ronald Bonica
2009-04-24
11 (System) IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor
2009-04-24
11 (System) IANA Action state changed to Waiting on RFC Editor from In Progress
2009-04-24
11 (System) IANA Action state changed to In Progress from Waiting on Authors
2009-04-24
11 (System) IANA Action state changed to Waiting on Authors from In Progress
2009-04-24
11 (System) IANA Action state changed to In Progress
2009-04-24
11 Cindy Morgan State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan
2009-04-24
11 Amy Vezza IESG state changed to Approved-announcement sent
2009-04-24
11 Amy Vezza IESG has approved the document
2009-04-24
11 Amy Vezza Closed "Approve" ballot
2009-04-21
11 Jari Arkko [Ballot Position Update] Position for Jari Arkko has been changed to Abstain from Discuss by Jari Arkko
2009-03-25
11 Lars Eggert [Ballot Position Update] Position for Lars Eggert has been changed to Abstain from Discuss by Lars Eggert
2009-03-06
11 (System) New version available: draft-stjohns-sipso-11.txt
2009-03-05
11 Ross Callon
[Ballot comment]
To me it appears that existing L3VPN technology, while widely deployed and therefore also widely implemented, is really not a great fit for …
[Ballot comment]
To me it appears that existing L3VPN technology, while widely deployed and therefore also widely implemented, is really not a great fit for the problem that this document is trying to solve. To a large extent L3VPNs rely on the service providers to correctly configure which sites go into which VPNs. This is great for L3VPNs (relieving private networks of significant effort), but seems wrong for what this document is doing. This is part of my motivation for entering a "no objection" vote.
2009-03-05
11 Ross Callon [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon
2009-03-04
11 Pasi Eronen [Ballot Position Update] Position for Pasi Eronen has been changed to No Objection from Discuss by Pasi Eronen
2009-03-03
10 (System) New version available: draft-stjohns-sipso-10.txt
2009-03-02
09 (System) New version available: draft-stjohns-sipso-09.txt
2009-02-20
08 (System) New version available: draft-stjohns-sipso-08.txt
2009-02-19
11 Ron Bonica [Ballot Position Update] Position for Ron Bonica has been changed to Abstain from Discuss by Ron Bonica
2009-02-19
11 Chris Newman [Ballot Position Update] Position for Chris Newman has been changed to Yes from No Objection by Chris Newman
2009-02-19
11 Chris Newman [Ballot comment]
The additional comments in -07 have improved this document to the level where I feel comfortable voting yes on this proposal.
2009-02-19
11 Russ Housley [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley
2009-02-19
11 Tim Polk Intended Status has been changed to Informational from Proposed Standard
2009-02-19
11 Cullen Jennings Intended Status has been changed to Proposed Standard from Informational
2009-02-19
11 Cullen Jennings Intended Status has been changed to Informational from Proposed Standard
2009-02-13
07 (System) New version available: draft-stjohns-sipso-07.txt
2009-01-30
11 Amy Vezza State Change Notice email list have been change to rja@extremenetworks.com, mstjohns@comcast.net, draft-stjohns-sipso@tools.ietf.org from rja@extremenetworks.com, Mike.StJohns@nominum.com, draft-stjohns-sipso@tools.ietf.org
2009-01-30
11 Amy Vezza State Changes to IESG Evaluation::AD Followup from Waiting for AD Go-Ahead by Amy Vezza
2009-01-30
11 (System) Removed from agenda for telechat - 2009-01-29
2009-01-29
11 Magnus Westerlund [Ballot Position Update] Position for Magnus Westerlund has been changed to No Objection from Discuss by Magnus Westerlund
2009-01-29
11 Dan Romascanu [Ballot comment]
I support the issues raised in the DISCUSSes of ROn and Lars.
2009-01-29
11 Jari Arkko
[Ballot discuss]
The IPv6 community has discussed the topic of hop-by-hop options
in general, and in this case there has no been no discussions about …
[Ballot discuss]
The IPv6 community has discussed the topic of hop-by-hop options
in general, and in this case there has no been no discussions about
this specific proposal in the 6MAN WG. This should be a requirement
for moving forward.

I also share the same general concerns others have on this document.
2009-01-29
11 Jari Arkko [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko
2009-01-29
11 Magnus Westerlund
[Ballot discuss]
What are the rules for providing IPv6 Options? I can't find anything specifying the rules. Could they just send in a registration request …
[Ballot discuss]
What are the rules for providing IPv6 Options? I can't find anything specifying the rules. Could they just send in a registration request and not publish the document? I don't understand how IANA evaluates request when there are no rules.

I would like the IESG to discuss this issue.
2009-01-29
11 Magnus Westerlund [Ballot Position Update] New position, Discuss, has been recorded by Magnus Westerlund
2009-01-29
11 Pasi Eronen
[Ballot discuss]
I support Lars's and Ron's discusses.

From the discussion so far, I also get the impression that we might
not have IETF Consensus …
[Ballot discuss]
I support Lars's and Ron's discusses.

From the discussion so far, I also get the impression that we might
not have IETF Consensus for the approach proposed in this document.

Adding to Lars's concern about transport protocols: In this draft,
there can be multiple simultaneous TCP connections with the same
five-tuple (proto, src, dst, src port, dst port).  That probably
means updating every middlebox in the network that uses the five-tuple
for its state -- and possibly many protocols that use addresses/port
numbers to identify connections (anything from RSVP to SDP to ICE to
BGP flow specs to RADIUS NAS-Filter-Rule attributes). That sounds bad.
2009-01-29
11 Pasi Eronen [Ballot Position Update] New position, Discuss, has been recorded by Pasi Eronen
2009-01-29
11 Lars Eggert
[Ballot discuss]
I'll shortly summarize my points from the discussion in Minneapolis. First, I believe that creating IP options (esp. a hop-by-hop options) for walled-gardens …
[Ballot discuss]
I'll shortly summarize my points from the discussion in Minneapolis. First, I believe that creating IP options (esp. a hop-by-hop options) for walled-gardens is inappropriate. We've been pushing back when other SDOs wanted to do this. I see no reason why this case is different. A second concern is that this proposal resurrects historic IPv4 technology for IPv6, when we have better protocol mechanisms available that would address the same set of requirements (cf. Ron's comment on VPN). Third, this draft is not just asking for an IP option number. It changes many more pieces of the architecture, e.g., how applications interact with transport protocols. Finally, there was no serious attempt to engage the IETF community on their strong last call comments. Pretty much the only change was to move the document to Informational, which is essentially irrelevant, because what matters is that an IP option number will be allocated by an IESG approval.

I'd like to discuss these issues on the call, to see if I'm on the rough side of the consensus here. I'll move to an abstain afterwards.
2009-01-29
11 Lars Eggert [Ballot Position Update] New position, Discuss, has been recorded by Lars Eggert
2009-01-28
11 Chris Newman [Ballot Position Update] New position, No Objection, has been recorded by Chris Newman
2009-01-28
11 Russ Housley
[Ballot discuss]
The Gen-ART Review by Elwyn Davies was posted on 28-Jan-2009.  The
  IANA related comment must be addressed before the document can be …
[Ballot discuss]
The Gen-ART Review by Elwyn Davies was posted on 28-Jan-2009.  The
  IANA related comment must be addressed before the document can be
  approved.  The other comments deserve consideration as well.

  s9.2: The authors have requested IESG assistance with the IANA
  considerations section. The section does not currently have a well
  defined allocation policy (it is sort of FCFS with expert review
  on the side).
2009-01-28
11 Russ Housley [Ballot Position Update] New position, Discuss, has been recorded by Russ Housley
2009-01-27
11 Ron Bonica [Ballot discuss]
Could you explain why the problem that you are solving can't be addressed with any of the existing VPN technologies (e.g. L3VPN).
2009-01-27
11 Ron Bonica [Ballot discuss]
Could you explain why the problem that you are solving can't be addressed with any of the existing VPN technologies (e.g. L3VPN).
2009-01-27
11 Ron Bonica [Ballot Position Update] New position, Discuss, has been recorded by Ron Bonica
2009-01-23
11 Sam Weiler Request for Telechat review by SECDIR is assigned to Sam Hartman
2009-01-23
11 Sam Weiler Request for Telechat review by SECDIR is assigned to Sam Hartman
2009-01-22
11 Tim Polk [Ballot Position Update] New position, Yes, has been recorded for Tim Polk
2009-01-22
11 Tim Polk Ballot has been issued by Tim Polk
2009-01-22
11 Tim Polk Created "Approve" ballot
2009-01-22
11 Tim Polk Placed on agenda for telechat - 2009-01-29 by Tim Polk
2008-12-02
06 (System) New version available: draft-stjohns-sipso-06.txt
2008-10-23
11 (System) State has been changed to Waiting for AD Go-Ahead from In Last Call by system
2008-10-17
11 Amanda Baber
IANA Last Call comments:

IESG Note: Expert Assignment Required for Action 2.

Action 1 (Section 9.1):

Upon approval of this document, the IANA will make …
IANA Last Call comments:

IESG Note: Expert Assignment Required for Action 2.

Action 1 (Section 9.1):

Upon approval of this document, the IANA will make the following assignments
in the "Internet Protocol Version 6 (IPv6) Parameters" registry located at
http://www.iana.org/assignments/ipv6-parameters
sub-registry "5.b. Options Types"

HEX act chg rest
--- --- --- -----
[TBD] 00 0 [TBD] CALIPSO [RFC-stjohns-sipso-05]


Action 2 (Section 9.1):

Upon approval of this document, the IANA will create the
registry "CALIPSO DOI Values" at http://www.iana.org/assignments/TBD

Registration Procedures:

DOI Value Organisation or Use


======================= ============================


0:0:0:0 Null DOI; MUST NOT be used
on any network at any time.
0:0:0:1 to 0:255:255:255 For private use among
consenting parties within
private networks; for reasons
of interoperability, these
DOI values MUST NOT ever
appear on the global public
Internet.
1:0:0:0 to 254:255:255:255 For assignment by IANA to
organisations following the
guidelines in the paragraph
below.
255:0:0:0 to 255:0:0:0 Reserved to the IETF for
future use by possible
revisions of this specification.

For the CALIPSO DOI values registry, IANA is requested to
issue a new DOI value to any organisation that requests it.
Any assignments made will be publicly available from the IANA
website.

DOI values beginning with decimcal 0:0:0 are reserved for
private use amongst consenting parties; values in this range
will not be allocated by IANA to any particular user or user
community. For reasons of interoperability, these DOI values
MUST NOT ever appear on the global public Internet.

A commercial organisation will normally only be assigned
at most two DOI values.

A single national government or multi-national treaty
organisation (e.g. NATO, UN) normally may be assigned up
to 10 CALIPSO DOI values, if that is requested. If a given
national government has NOT requested a set of national values,
then different government departments (e.g. Ministry of Defence,
Department of Energy, Department of Homeland Security) or
different states/provinces (e.g. Queensland, New South Wales)
within that given national government each normally may
independently request up to 2 different CALIPSO DOI values.

DOI values beginning with decimal 255 are reserved to
the IETF for use in future versions of this specification.
IESG approval is required for allocation of DOI values
within that range.

With respect to delegation in unclear circumstances, IANA
may ask the IESG to appoint "Designated Experts" to provide
advice.

Initial contents of this registry will be:

DOI Value Organization or Use Reference
--------- ------------------- ---------

We understand the above to be the only IANA Actions for this document.
2008-10-03
11 Sam Weiler Request for Last Call review by SECDIR Completed. Reviewer: Sam Hartman.
2008-09-26
11 Sam Weiler Request for Last Call review by SECDIR is assigned to Sam Hartman
2008-09-26
11 Sam Weiler Request for Last Call review by SECDIR is assigned to Sam Hartman
2008-09-25
11 Cindy Morgan Last call sent
2008-09-25
11 Cindy Morgan State Changes to In Last Call from Last Call Requested by Cindy Morgan
2008-09-25
11 Tim Polk State Changes to Last Call Requested from Publication Requested by Tim Polk
2008-09-25
11 Tim Polk Last Call was requested by Tim Polk
2008-09-25
11 (System) Ballot writeup text was added
2008-09-25
11 (System) Last call text was added
2008-09-25
11 (System) Ballot approval text was added
2008-09-25
11 Tim Polk Area acronymn has been changed to sec from gen
2008-09-25
11 Tim Polk Intended Status has been changed to Proposed Standard from None
2008-09-11
11 Tim Polk State Changes to Publication Requested from AD is watching by Tim Polk
2008-09-11
11 Tim Polk

Summary of draft-stjohns-sipso-05.txt;
Submitted on 11 September 2008.


1A>  Who is the Document Shepherd ?

  Randall Atkinson, who is also the active document …

Summary of draft-stjohns-sipso-05.txt;
Submitted on 11 September 2008.


1A>  Who is the Document Shepherd ?

  Randall Atkinson, who is also the active document editor.

1A>  Has the document Shepherd personally reviewed this
  version of the document and, in particular does s/he
  believe this version is ready for forwarding to the IESG
  for publication ?

  Yes.  Yes.

1B> Has the document had adequate review both from key WG
  members and from key non-WG members ?

  There is no related WG.  The document has had extensive
  review by both implementers and users.  There are no known
  unresolved issues.

1B> Does the Document Shepherd have concerns about the depth
  or breadth of the reviews that have been performed ?

  No.

1C> Does the document shepherd have concerns that the document
  needs more review from a particular or broader perspective ?
 
  No.

1D> Does the document shepherd have any specific concerns or issues
  with this document that the Responsible AD or IESG should be
  aware of ?

  No.

1E> How solid is the WG consensus behind this document ?

  This is an individual submission, not a WG document.

  The document shepherd believes that among the reviewers
  there is clear consensus that this document is adequate.

1F> Has anyone threatened an appeal or otherwise indicated
  extreme discontent ?

  No.

1G> Has the document shepherd personally verified that the
  document satisfies all I-D Nits ?

  Yes.  The document does not have an "intended status"
  text because that is a decision for the Sponsoring AD
  and IESG as a whole.

1H> Has the document split references into Normative and
  Informative subsections ?

  Yes.

1H> Are there normative references to documents that are
  in an unclear state or otherwise not ready for advancement ?

  No.

1H> Are there normative references that are downward references ?

  No.

1I> Has the document shepherd verified that the document's IANA
  Considerations section exists and is consistent with the body
  of the document ?

  Yes.  Yes. The IANA Considerations was last revised following
  guidance from the sponsoring AD (Tim Polk).

1I> Are the IANA registries clearly identified ?

  Yes.

1I> If the document creates a new registry, does it define the
  proposed initial contents and an allocation procedure ?

  Yes.

1I> Does it suggest a reasonable name for the new registry ?

  Yes.

1I>  If the document describes an expert review process,
  has shepherd conferred with the responsible AD so the IESG
  can appoint the needed expert during the IESG evaluation ?

  Yes.  Proposal is for Ran Atkinson to be the primary
  designated expert for questionable cases, with Mike
  StJohns as the designated backup expert.

1J> Has the document shepherd verified that sections of the
  document specified in a formal language validate correctly ?

  Not applicable. 

1K> Please provide a Document Announcement Write-Up.

  Please see bottom.

1K> Are there any existing implementations of this protocol ?

  No. 

  Several vendors have indicated interest in implementing
  this option as part of their mandatory access control
  features for hosts or routers.  It is believed likely that
  at least one open source operating system will implement
  this specification.  At least one router implementer has
  evaluated implementing support for this option in silicon,
  and is satisfied that this would be practical to do.


Technical Summary

  This document defines a new IPv6 Hop-by-Hop Option that
  will be used narrowly within multi-level secure network
  deployments.  This option is used to enable mandatory
  access controls (e.g. to prevent a MOST SECRET packet
  from being forwarded out an UNCLASSIFIED interface).

  This option is related to prior IPv4 work in the same area,
  specifically RFC-1038, RFC-1108 (IPSO), and FIPS-188 (CIPSO).
  Those IPv4 options are deployed by many countries and several
  financial institutions to provide mandatory access controls
  for IPv4 packets.  These IPv4 options are supported in some
  current commercial products.  For example, Cisco IOS, Sun
  Trusted Solaris, and SE-Linux support RFC-1108;  Sun Trusted
  Solaris, SGI IRIX, and SE-Linux also support FIPS-188.
 
  This must be an IPv6 Hop-by-Hop option because routers
  that have been enhanced to recognise this option are a
  critical point where mandatory access controls are applied.
  Because this option should never appear on the public
  global Internet, and because the option is part of a scheme
  for mandatory access controls, this option ought not create
  a denial-of-service issue for routers in the global Internet.


Working Group Summary

  This document is an individual submission, not the product
  of an IETF working group. 

  The document has been reviewed extensively by implementers
  at several different firms.  It also has been reviewed by
  users at multiple operational sites in multiple countries
  and organisations. 
 

Document Quality
 
  This document is acceptable to the reviewers that have provided
  input to the document.  No concerns about clarity have been
  received by the document editor or document shepherd.  This
  specification is much more detailed than the previous IPv4
  label option specifications were.

Personnel

  Randall Atkinson is the document shepherd, and is also
  the active document editor.
 
  Tim Polk is the sponsoring Area Director.


EOF
2008-08-25
05 (System) New version available: draft-stjohns-sipso-05.txt
2008-08-22
11 Tim Polk State Change Notice email list have been change to rja@extremenetworks.com, Mike.StJohns@nominum.com, draft-stjohns-sipso@tools.ietf.org from Mike.StJohns@nominum.com, draft-stjohns-sipso@tools.ietf.org
2008-08-22
11 Tim Polk Draft Added by Tim Polk in state AD is watching
2008-07-07
04 (System) New version available: draft-stjohns-sipso-04.txt
2008-05-22
03 (System) New version available: draft-stjohns-sipso-03.txt
2007-11-14
02 (System) New version available: draft-stjohns-sipso-02.txt
2007-04-11
01 (System) New version available: draft-stjohns-sipso-01.txt
2007-02-16
00 (System) New version available: draft-stjohns-sipso-00.txt